Description
After updating containerd.io to version 1.6.22 (I'm using containerd.io-1.6.22-3.1.el8.x86_64), permissions on the container-specific address files are world writable (writable by user, group and others). Previously only the user had write permission. The same issue is still present in containerd.io version 1.6.24 (containerd.io-1.6.24-3.1.el8.x86_64).
containerd.io 1.6.21:
-rw-r--r--.
containerd.io 1.6.22 ->
-rw-rw-rw-.
This is a hardening issue which is reported by some configuration assessment tools (such as CIS-CAT Pro).
Steps to reproduce the issue
- Prepare an environment with containerd.io version 1.6.22 or a later 1.6.x
- Start any container in the background, e.g.
docker run -dit alpine:latest
- Show the address file permissions for the created container:
sudo ls -l /run/containerd/io.containerd.runtime.v2.task/moby/<CONTAINER ID>/address
Describe the results you received and expected
Permissions for the address file are:
-rw-rw-rw-. -> Too loose permissions (world writable)
They should be (as they previously were):
-rw-r--r--. -> OK, only writable by user
What version of containerd are you using?
containerd containerd.io 1.6.24 61f9fd8
Any other relevant information
runc version 1.1.9
I have tested this in RHEL 8.4 and RHEL 8.8 host environments.
Show configuration if it is related to CRI plugin.
No response
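The check a configuration-assessment tool performs for the finding above, as an added example written for this page (it is not containerd's or CIS-CAT's code): walk the runtime-v2 task directory named in the report, flag every address file whose "others" write bit is set, and restore the pre-1.6.22 mode. It assumes GNU/busybox coreutils `stat -c '%a'`; the function names and the overridable root directory are this example's own, and the default root is the path quoted in the issue.

```shell
#!/bin/sh
# Added audit helper for world-writable containerd shim address files.
# Not part of containerd; assumes `stat -c '%a'` (GNU or busybox coreutils).

# Octal mode of a file, e.g. 644 or 666 (no leading zero).
file_mode() {
    stat -c '%a' "$1"
}

# True (exit 0) when the file is writable by "others", i.e. the write bit (2)
# is set in the last octal digit of the mode. Fails if the file cannot be stat'ed.
is_world_writable() {
    mode=$(file_mode "$1") || return 1
    other=$(( mode % 10 ))
    [ $(( other & 2 )) -ne 0 ]
}

# Walk <root>/<namespace>/<container id>/address and print each world-writable
# file with its mode. Returns 1 if any was found, 0 if all are acceptable.
# The root defaults to the directory from the report; pass another for testing.
audit_address_files() {
    root=${1:-/run/containerd/io.containerd.runtime.v2.task}
    found=0
    for f in "$root"/*/*/address; do
        [ -f "$f" ] || continue          # skip unmatched glob / non-files
        if is_world_writable "$f"; then
            printf 'WORLD-WRITABLE %s %s\n' "$(file_mode "$f")" "$f"
            found=1
        fi
    done
    return $found
}

# Remediation: restore the mode the report shows for containerd.io 1.6.21.
fix_address_file() {
    chmod 0644 "$1"
}

# Stand-alone usage (needs root to read /run/containerd):
#   audit_address_files || echo "hardening finding: world-writable address files"
```

Run `audit_address_files` as root on an affected host to list the offending files; it exits non-zero when any are found, so it drops straight into a cron job or a CI hardening check. Note that `chmod 0644` only masks the symptom until the next container start; the shim recreates the file with the loose mode, so the fix belongs in containerd itself.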